The campaign is dubbed “DB#JAMMER,” it involves threat actors exploiting vulnerabilities in poorly secured Microsoft SQL servers to deliver Cobalt Strike and a ransomware strain called FreeWorld.
How does it work?
Hackers use different tools, like programs to find information, software that can take control of your computer remotely [Remote Access Trojan (RAT) payloads], and some tools to break into systems and steal passwords. Finally, they use a ransomware program to lock up your computer and demand money to unlock it.
Attack process
- Initial access is gained through brute-forcing the MS SQL server.
- The attackers then enumerate the database and leverage the xp_cmdshell configuration option to run shell commands and conduct surveillance.
- Steps are taken to impair the system firewall and establish persistence by connecting to a remote SMB share to transfer files and install malicious tools such as Cobalt Strike.
- AnyDesk software is distributed, followed by the deployment of the FreeWorld ransomware.
- Lateral movement within the victim’s network is also attempted.
This year, there have been many ransomware attacks, but people are paying less often to get their files back, to a record low of 34%, but when they do, they reach $740,144, up 126% from Q1 2023.
How to protect?
Here are some tips for protecting your Microsoft SQL servers from ransomware attacks:
- Use strong passwords and keep them up to date.
- Enable two-factor authentication.
- Keep your SQL Server software up-to-date.
- Safeguard your SQL Server servers with a firewall to prevent unauthorized access.
- Employ intrusion detection and prevention systems to identify and thwart malicious actions.
- Back up your data regularly and keep your backups offline.
- Have a plan in place to recover from a ransomware attack.
This information underscores the importance of robust cybersecurity measures, such as securing Microsoft SQL servers with strong passwords, regularly updating software and security patches, and maintaining reliable backups to mitigate the impact of ransomware attacks. They pay a lot more.
via HackerNews
